VM SSL Issue
I am using the FortiGate VM, 6.4.2 evaluation for practice (SSL-VPN is said to be supported with the evaluation license), but the FortiGate is not accepting its own generic cert. I am getting the following errors and am not sure why. Note: "xxx.xxx.xxx" is the remote public IP address of the device that is using the FortiClient VPN and is attempting to SSL-VPN in.

I have attempted the following:
1) override the MTU to 1500 (there were posts saying that even though the default is 1500, they had to do this)
2) set ssl-max-proto-ver tls1-0, -1, -2 and -3
3) I have read of people changing the algorithm to medium, but those were running earlier versions, using the following command: conf ssl settings set algorithm medium

[9165:root:c6]allocSSLConn:298 sconn 0x7ffa57e17a00 (0:root)
[9165:root:c6]SSL state:before SSL initialization (xxx.xxx.xxx.xxx)
[9165:root:c6]SSL state:before SSL initialization:DH lib(xxx.xxx.xxx.xxx)
[9165:root:c6]SSL_accept failed, 5:(null)
[9165:root:c6]Destroy sconn 0x7ffa57e17a00, connSize=0. (root)
[9165:root:c7]allocSSLConn:298 sconn 0x7ffa57e17a00 (0:root)
[9165:root:c7]SSL state:before SSL initialization (xxx.xxx.xxx.xxx)
[9165:root:c7]SSL state:before SSL initialization (xxx.xxx.xxx.xxx)
[9165:root:c7]client cert requirement: no
[9165:root:c7]SSL state:SSLv3/TLS read client hello (xxx.xxx.xxx.xxx)
[9165:root:c7]SSL state:SSLv3/TLS write server hello (xxx.xxx.xxx.xxx)
[9165:root:c7]SSL state:SSLv3/TLS write certificate (xxx.xxx.xxx.xxx)
[9165:root:c7]SSL state:SSLv3/TLS write key exchange (xxx.xxx.xxx.xxx)
[9165:root:c7]SSL state:SSLv3/TLS write server done (xxx.xxx.xxx.xxx)
[9165:root:c7]SSL state:SSLv3/TLS write server done:system lib(xxx.xxx.xxx.xxx)
[9165:root:c7]SSL state:SSLv3/TLS write server done:DH lib(xxx.xxx.xxx.xxx)
[9165:root:c7]SSL_accept failed, 5:(null)
[9165:root:c7]Destroy sconn 0x7ffa57e17a00, connSize=0. (root)

Thanks in advance!
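Added example (my own code, not from the original post or from Fortinet): a small parser for the sslvpn debug lines quoted above that tracks each connection id's last handshake state and separates connections that never delivered a Client Hello from those the peer abandoned after seeing the server's certificate and key exchange. The cause classes are a heuristic I chose, not a Fortinet diagnosis.

```python
import re
from collections import defaultdict

# Debug-line prefix used in the post: [pid:vdom:cN]message
LINE_RE = re.compile(r"^\[(\d+):(\w+):(c\d+)\](.*)$")
ACCEPT_FAIL_RE = re.compile(r"SSL_accept failed, (\d+):")

# Constructed sample, trimmed from the two connections quoted in the post (addresses masked as in the original).
SAMPLE_LOG = """\
[9165:root:c6]SSL state:before SSL initialization (xxx.xxx.xxx.xxx)
[9165:root:c6]SSL state:before SSL initialization:DH lib(xxx.xxx.xxx.xxx)
[9165:root:c6]SSL_accept failed, 5:(null)
[9165:root:c7]SSL state:SSLv3/TLS read client hello (xxx.xxx.xxx.xxx)
[9165:root:c7]SSL state:SSLv3/TLS write server hello (xxx.xxx.xxx.xxx)
[9165:root:c7]SSL state:SSLv3/TLS write certificate (xxx.xxx.xxx.xxx)
[9165:root:c7]SSL state:SSLv3/TLS write key exchange (xxx.xxx.xxx.xxx)
[9165:root:c7]SSL state:SSLv3/TLS write server done (xxx.xxx.xxx.xxx)
[9165:root:c7]SSL state:SSLv3/TLS write server done:DH lib(xxx.xxx.xxx.xxx)
[9165:root:c7]SSL_accept failed, 5:(null)
"""

def parse_handshakes(log_text):
    """Per connection id: last handshake state seen and the SSL_accept error code, if any."""
    conns = defaultdict(lambda: {"last_state": None, "errcode": None})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        conn, msg = m.group(3), m.group(4)
        if msg.startswith("SSL state:"):
            # Strip the trailing "(peer address)"; keep a ":DH lib" suffix (OpenSSL error-library tag on the failing state)
            conns[conn]["last_state"] = re.sub(r"\s*\([\w.]+\)$", "", msg[len("SSL state:"):])
        elif (f := ACCEPT_FAIL_RE.search(msg)):
            conns[conn]["errcode"] = int(f.group(1))
    return dict(conns)

def classify(conn):
    """Heuristic (mine, not Fortinet's): where SSL_accept died suggests who gave up."""
    if conn["errcode"] is None:
        return "completed"
    state = conn["last_state"] or ""
    if "before SSL initialization" in state:
        return "no-client-hello"         # nothing TLS ever arrived: probe, proxy or path problem
    if "write server done" in state or "write certificate" in state:
        return "client-rejected-server"  # peer dropped after seeing the cert / key exchange
    return "mid-handshake"

def summarize(log_text):
    """Return {conn_id: (last_state, cause_class)} for every connection in the log."""
    return {cid: (c["last_state"], classify(c)) for cid, c in parse_handshakes(log_text).items()}
```

Run `summarize(SAMPLE_LOG)` against the full debug output to see, per connection, whether the peer ever started TLS or walked away only after the server presented its certificate.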
In general, SSL is almost not, or even not, supported on the 14-day evaluation license.
When I spin one up I, against best practice, just enable HTTP for management. Trying to get HTTPS working is near impossible; if it works at all, it uses a silly low setting which no browser will accept.
SSLVPN requires HTTPS, so it might be there config-wise, but I expect you won't get it to work if you can't switch to HTTP instead, which seems not possible.
Boneyard, while I agree with you that the HTTPS management is not included, documentation from FG does not mention anything about the SSL-VPN. The expectations were laid out pretty clearly in their documentation located on their site:

"The FortiGate-VM includes a limited, 15-day evaluation license that supports:
- 1 CPU maximum
- 1024 MB memory maximum
- Low encryption only (no HTTPS administrative access) <---- This is just GUI administrative access. I am not using the portal but instead using FortiClient
- Security protection:
  - With the built-in signatures that the evaluation license includes, you can use the following features:
    - IPS
    - AntiVirus
    - Industrial DB
  - The following features do not have built-in signatures:
    - Security rating
    - Antispam
    - Web Filter
  - Features related to FortiGuard access are not available. Go to System > FortiGuard in FortiOS for details.
- VDOM:
  - You can enable split-task VDOM in the CLI.
  - You cannot enable multi-VDOM.

Note the following:
- Attempting to upgrade the FortiGate firmware locks the GUI until you upload a full license.
- The evaluation license does not include technical support.
- The trial period begins the first time that you start the FortiGate-VM.
- After the trial license expires, functionality is disabled until you upload a full license file.
- Features available in the evaluation state may change without prior notice."

I'm trying not to rule out the SSL-VPN as not usable until there's some definitive proof. :)
If you want a definitive answer then Fortinet support is the way to go. You were able to download this, so you have access to support, right?
For reference, that document: https://docs.fortinet.com...-vm-evaluation-license
doesn't state there is a maximum amount of firewall policies within the 15-day evaluation, and there certainly is. 100% clear and complete documentation is rare.
Yes, I have access to support but, funnily (or sadly) enough, when I inquired about this issue with them, they first said it could possibly be a TLS and SSL issue (well, duh). Then when I asked them to be more specific, they said "We cannot create a ticket on this eval license and I will need to reach out to my Fortinet Business partner..." Let's (FortiGate Support) not take into consideration that my company currently has 9 FortiGates that consist of a mixture of 101Fs and 601Es, along with about 20+ 548D-FPOEs, lol. Naaa, screw my VM, lol, no support for you! (me) They couldn't even answer whether the SSL-VPN is supported or not.